• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // This is mozilla/security/manager/ssl/src/md4.c, CVS rev. 1.1, with trivial
2 // changes to port it to our source tree.
3 //
4 // WARNING: MD4 is cryptographically weak.  Do not use MD4 except in NTLM
5 // authentication.
6 
7 /* vim:set ts=2 sw=2 et cindent: */
8 /* ***** BEGIN LICENSE BLOCK *****
9  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
10  *
11  * The contents of this file are subject to the Mozilla Public License Version
12  * 1.1 (the "License"); you may not use this file except in compliance with
13  * the License. You may obtain a copy of the License at
14  * http://www.mozilla.org/MPL/
15  *
16  * Software distributed under the License is distributed on an "AS IS" basis,
17  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
18  * for the specific language governing rights and limitations under the
19  * License.
20  *
21  * The Original Code is Mozilla.
22  *
23  * The Initial Developer of the Original Code is IBM Corporation.
24  * Portions created by IBM Corporation are Copyright (C) 2003
25  * IBM Corporation. All Rights Reserved.
26  *
27  * Contributor(s):
28  *   Darin Fisher <darin@meer.net>
29  *
30  * Alternatively, the contents of this file may be used under the terms of
31  * either the GNU General Public License Version 2 or later (the "GPL"), or
32  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
33  * in which case the provisions of the GPL or the LGPL are applicable instead
34  * of those above. If you wish to allow use of your version of this file only
35  * under the terms of either the GPL or the LGPL, and not to allow others to
36  * use your version of this file under the terms of the MPL, indicate your
37  * decision by deleting the provisions above and replace them with the notice
38  * and other provisions required by the GPL or the LGPL. If you do not delete
39  * the provisions above, a recipient may use your version of this file under
40  * the terms of any one of the MPL, the GPL or the LGPL.
41  *
42  * ***** END LICENSE BLOCK ***** */
43 
44 /*
45  * "clean room" MD4 implementation (see RFC 1320)
46  */
47 
48 #include "net/http/md4.h"
49 
50 #include <string.h>
51 
52 typedef uint32 Uint32;
53 typedef uint8 Uint8;
54 
55 /* the "conditional" function */
56 #define F(x,y,z) (((x) & (y)) | (~(x) & (z)))
57 
58 /* the "majority" function */
59 #define G(x,y,z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
60 
61 /* the "parity" function */
62 #define H(x,y,z) ((x) ^ (y) ^ (z))
63 
64 /* rotate n-bits to the left */
65 #define ROTL(x,n) (((x) << (n)) | ((x) >> (0x20 - n)))
66 
67 /* round 1: [abcd k s]: a = (a + F(b,c,d) + X[k]) <<< s */
68 #define RD1(a,b,c,d,k,s) a += F(b,c,d) + X[k]; a = ROTL(a,s)
69 
70 /* round 2: [abcd k s]: a = (a + G(b,c,d) + X[k] + MAGIC) <<< s */
71 #define RD2(a,b,c,d,k,s) a += G(b,c,d) + X[k] + 0x5A827999; a = ROTL(a,s)
72 
73 /* round 3: [abcd k s]: a = (a + H(b,c,d) + X[k] + MAGIC) <<< s */
74 #define RD3(a,b,c,d,k,s) a += H(b,c,d) + X[k] + 0x6ED9EBA1; a = ROTL(a,s)
75 
76 /* converts from word array to byte array, len is number of bytes */
w2b(Uint8 * out,const Uint32 * in,Uint32 len)77 static void w2b(Uint8 *out, const Uint32 *in, Uint32 len)
78 {
79   Uint8 *bp; const Uint32 *wp, *wpend;
80 
81   bp = out;
82   wp = in;
83   wpend = wp + (len >> 2);
84 
85   for (; wp != wpend; ++wp, bp += 4)
86   {
87     bp[0] = (Uint8) ((*wp      ) & 0xFF);
88     bp[1] = (Uint8) ((*wp >>  8) & 0xFF);
89     bp[2] = (Uint8) ((*wp >> 16) & 0xFF);
90     bp[3] = (Uint8) ((*wp >> 24) & 0xFF);
91   }
92 }
93 
94 /* converts from byte array to word array, len is number of bytes */
b2w(Uint32 * out,const Uint8 * in,Uint32 len)95 static void b2w(Uint32 *out, const Uint8 *in, Uint32 len)
96 {
97   Uint32 *wp; const Uint8 *bp, *bpend;
98 
99   wp = out;
100   bp = in;
101   bpend = in + len;
102 
103   for (; bp != bpend; bp += 4, ++wp)
104   {
105     *wp = (Uint32) (bp[0]      ) |
106           (Uint32) (bp[1] <<  8) |
107           (Uint32) (bp[2] << 16) |
108           (Uint32) (bp[3] << 24);
109   }
110 }
111 
112 /* update state: data is 64 bytes in length */
md4step(Uint32 state[4],const Uint8 * data)113 static void md4step(Uint32 state[4], const Uint8 *data)
114 {
115   Uint32 A, B, C, D, X[16];
116 
117   b2w(X, data, 64);
118 
119   A = state[0];
120   B = state[1];
121   C = state[2];
122   D = state[3];
123 
124   RD1(A,B,C,D, 0,3); RD1(D,A,B,C, 1,7); RD1(C,D,A,B, 2,11); RD1(B,C,D,A, 3,19);
125   RD1(A,B,C,D, 4,3); RD1(D,A,B,C, 5,7); RD1(C,D,A,B, 6,11); RD1(B,C,D,A, 7,19);
126   RD1(A,B,C,D, 8,3); RD1(D,A,B,C, 9,7); RD1(C,D,A,B,10,11); RD1(B,C,D,A,11,19);
127   RD1(A,B,C,D,12,3); RD1(D,A,B,C,13,7); RD1(C,D,A,B,14,11); RD1(B,C,D,A,15,19);
128 
129   RD2(A,B,C,D, 0,3); RD2(D,A,B,C, 4,5); RD2(C,D,A,B, 8, 9); RD2(B,C,D,A,12,13);
130   RD2(A,B,C,D, 1,3); RD2(D,A,B,C, 5,5); RD2(C,D,A,B, 9, 9); RD2(B,C,D,A,13,13);
131   RD2(A,B,C,D, 2,3); RD2(D,A,B,C, 6,5); RD2(C,D,A,B,10, 9); RD2(B,C,D,A,14,13);
132   RD2(A,B,C,D, 3,3); RD2(D,A,B,C, 7,5); RD2(C,D,A,B,11, 9); RD2(B,C,D,A,15,13);
133 
134   RD3(A,B,C,D, 0,3); RD3(D,A,B,C, 8,9); RD3(C,D,A,B, 4,11); RD3(B,C,D,A,12,15);
135   RD3(A,B,C,D, 2,3); RD3(D,A,B,C,10,9); RD3(C,D,A,B, 6,11); RD3(B,C,D,A,14,15);
136   RD3(A,B,C,D, 1,3); RD3(D,A,B,C, 9,9); RD3(C,D,A,B, 5,11); RD3(B,C,D,A,13,15);
137   RD3(A,B,C,D, 3,3); RD3(D,A,B,C,11,9); RD3(C,D,A,B, 7,11); RD3(B,C,D,A,15,15);
138 
139   state[0] += A;
140   state[1] += B;
141   state[2] += C;
142   state[3] += D;
143 }
144 
145 namespace net {
146 namespace weak_crypto {
147 
MD4Sum(const Uint8 * input,Uint32 inputLen,Uint8 * result)148 void MD4Sum(const Uint8 *input, Uint32 inputLen, Uint8 *result)
149 {
150   Uint8 final[128];
151   Uint32 i, n, m, state[4];
152 
153   /* magic initial states */
154   state[0] = 0x67452301;
155   state[1] = 0xEFCDAB89;
156   state[2] = 0x98BADCFE;
157   state[3] = 0x10325476;
158 
159   /* compute number of complete 64-byte segments contained in input */
160   m = inputLen >> 6;
161 
162   /* digest first m segments */
163   for (i=0; i<m; ++i)
164     md4step(state, (input + (i << 6)));
165 
166   /* build final buffer */
167   n = inputLen % 64;
168   memcpy(final, input + (m << 6), n);
169   final[n] = 0x80;
170   memset(final + n + 1, 0, 120 - (n + 1));
171 
172   inputLen = inputLen << 3;
173   w2b(final + (n >= 56 ? 120 : 56), &inputLen, 4);
174 
175   md4step(state, final);
176   if (n >= 56)
177     md4step(state, final + 64);
178 
179   /* copy state to result */
180   w2b(result, state, 16);
181 }
182 
183 }  // namespace net::weak_crypto
184 }  // namespace net
185